OCR HIPAA Violation Checklist: Risk Assessment, Breach Notification, and Corrective Action Plans

This OCR HIPAA Violation Checklist helps you operationalize privacy and security obligations across people, process, and technology. Use it to evaluate risk, meet breach notification requirements, and drive corrective action plan development that stands up to audits and HIPAA enforcement actions.

Conduct Comprehensive Risk Assessments

Define scope and inventory assets

Start by identifying all locations where protected health information is created, received, maintained, or transmitted, with emphasis on electronic protected health information across systems, cloud services, medical devices, endpoints, and vendors. Build a living asset inventory and data-flow map to show how ePHI moves end‑to‑end.

• Include applications, databases, integrations, backups, and removable media.
• Catalog business associates, their services, and contract status (BAAs).
• Document user roles and authorized purposes to support minimum necessary access.

Analyze threats, vulnerabilities, and impact

Evaluate threats (e.g., phishing, ransomware, insider misuse) against known vulnerabilities (misconfigurations, missing encryption, excessive access). Estimate likelihood and impact, then assign risk ratings to each scenario affecting confidentiality, integrity, and availability.

• Consider administrative safeguards (policies, training, sanctions) as well as technical and physical controls.
• Assess vendor and cloud dependencies, including incident and continuity provisions.

Plan treatment and document decisions

Create a risk management plan that specifies mitigation actions, owners, timelines, and evidence of completion. Note residual risk you accept, with rationale. Maintain a full risk analysis report, supporting worksheets, and approvals for audit readiness.

Refresh on a defined cadence

Perform an enterprise-wide analysis at least annually and whenever major changes occur—new systems, mergers, cloud migrations, relocations, or material incidents. Integrate results into budgeting, project gating, and leadership reporting.

Implement Breach Notification Procedures

Determine whether an incident is a breach

When PHI is impermissibly used or disclosed, presume a breach unless a documented assessment shows a low probability of compromise. Evaluate four factors: the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which risk was mitigated. Incidents involving unsecured protected health information generally require notification.

Meet timing and content requirements

• Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery. Include a plain-language description of what happened, types of data involved, steps individuals should take, what you are doing (containment, monitoring, corrective action plan development), and contact options.
• HHS breach reporting: For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 days after discovery; for fewer than 500, report to HHS no later than 60 days after the end of the calendar year.
• Media: If 500+ residents of a state or jurisdiction are affected, provide notice to prominent media in that area within the same 60-day window.

Use appropriate notification methods

Send written notices by first-class mail or email if individuals agreed to electronic delivery. Provide substitute notice if insufficient contact information exists for 10 or more individuals. Track delivery and returned mail to demonstrate diligence.

Document, mitigate, and prevent recurrence

Record your assessment, decisions, and notifications. Offer mitigation where appropriate (e.g., credit monitoring). Feed lessons learned into policies, system hardening, and training to reduce repeat events.

Develop Corrective Action Plans

Identify root causes and scope

Use structured methods (5 Whys, fault tree, or fishbone) to find process, technology, and human contributors. Clarify whether gaps are localized or systemic across departments, vendors, or workflows.

Define actions, owners, and deadlines

• Immediate containment: disable compromised accounts, isolate systems, revoke access, and increase monitoring.
• Remediation: implement encryption, multi-factor authentication, role-based access, and stronger logging for electronic protected health information.
• Process fixes: update policies, revise procedures, improve change control, and harden vendor oversight.
• Training: deliver targeted refreshers tied to the event and embed them in onboarding.

Specify evidence and verification

For each task, define acceptance criteria (screenshots, configurations, test results, sign-offs) and verification steps. Establish checkpoints and completion dates to prove closure.

Align with OCR expectations

Where applicable, structure the plan to mirror typical OCR corrective action plan elements—governance, updated risk analysis, policy rollout, workforce training, monitoring, and reporting—so you are prepared if an investigation or HIPAA enforcement actions require formal oversight.

Ensure Administrative Safeguards

Governance and accountability

Designate privacy and security officers, form a compliance committee, and define decision rights. Set a charter for risk acceptance, exceptions, and escalation paths.

Policies, procedures, and sanctions

Maintain current policies for uses and disclosures, access management, minimum necessary, incident response, breach notification requirements, vendor management, and contingency planning. Enforce a documented sanctions policy when workforce members violate standards.

Vendor and business associate management

Execute BAAs before sharing PHI, perform due diligence, and require incident reporting and security obligations in contracts. Review vendors regularly and manage offboarding to ensure PHI return or destruction.

Contingency and resilience

Implement data backup, disaster recovery, and emergency-mode operations plans. Test them periodically and document outcomes, improvements, and retests.

Strengthen Physical and Technical Protections

Physical controls

Limit facility access, secure workstations, control media, and use clean-desk practices. Track devices that store PHI and verify secure disposal with certificates of destruction.

Access and authentication

Issue unique user IDs, apply multi-factor authentication, enforce least privilege, and review access routinely. Configure automatic logoff where feasible.

Encryption and data protection

Encrypt PHI in transit and at rest. When PHI is encrypted or properly destroyed, it is not considered unsecured protected health information, reducing breach risk exposure. Deploy DLP, email security, and endpoint protection to prevent exfiltration.

Audit, integrity, and change control

Enable audit logs for critical systems, protect log integrity, and routinely review alerts. Patch systems promptly and track configuration changes through a controlled process.

Mobile, cloud, and third parties

Apply MDM with remote wipe, restrict local storage, and validate cloud configurations. Require BAAs, review SOC and security attestations, and disable risky sharing features by default.

Train Workforce on HIPAA Compliance

Role-based, timely training

Provide onboarding and annual refreshers tailored to roles—front desk, billing, clinicians, IT, and leadership. Cover privacy basics, the Security Rule, minimum necessary, secure use of ePHI, and incident reporting.

Behavioral reinforcement

Run simulations (e.g., phishing), conduct knowledge checks, and share short refreshers throughout the year. Publicize lessons learned from incidents to close gaps without blame.

Records and accountability

Track attendance, completion scores, and content versions. Tie training to sanctions and performance management to drive consistent behavior.

Monitor Ongoing Compliance Efforts

Audit and metrics

Schedule internal audits of access, minimum necessary, log reviews, and vendor oversight. Monitor KPIs such as time to patch, incident response times, policy adoption, and closure of risk treatment actions.

Continuous improvement and reporting

Feed monitoring results into your risk analysis, budget planning, and roadmap. Brief leadership regularly and maintain documentation needed for HHS breach reporting, investigations, or due diligence requests.

Retention and evidence

Retain policies, risk analyses, training records, and incident documentation for required periods, and keep them organized for rapid retrieval during audits or investigations.

Conclusion

By executing this OCR HIPAA Violation Checklist—risk assessment, breach notification procedures, corrective action plan development, and balanced safeguards—you create defensible compliance that protects patients, reduces incident impact, and prepares you for scrutiny.

FAQs

What Are the Key Steps in a HIPAA Risk Assessment?

Define scope across all PHI, especially electronic protected health information; inventory assets and data flows; identify threats and vulnerabilities; rate likelihood and impact; prioritize risks; create and execute a mitigation plan with owners and deadlines; document everything; and repeat after major changes and at least annually.

When Must an Entity Notify Individuals of a Breach?

For breaches involving unsecured protected health information, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report large breaches (500 or more affected) to HHS within the same timeframe and to local media if 500+ residents of a state or jurisdiction are impacted; smaller breaches are reported to HHS within 60 days after the calendar year ends.

What Should Be Included in a Corrective Action Plan?

Root cause analysis; specific remediation and preventive actions; accountable owners; deadlines; required evidence; validation steps; policy and procedure updates; targeted training; monitoring and reporting cadence; and criteria for closure. Align the scope to address systemic issues, not just the immediate incident.

How Does OCR Enforce HIPAA Violations?

OCR investigates complaints, breach reports, and patterns of noncompliance. Outcomes range from technical assistance to resolution agreements that mandate corrective action plans and monitoring, and, when warranted, civil money penalties. Sustained compliance, thorough documentation, and prompt mitigation materially influence enforcement posture.